
Subject lines are not HTML-escaped #46

Closed
paulschreiber opened this Issue Aug 23, 2012 · 1 comment

2 participants

@paulschreiber

Subject lines are not HTML-escaped. If your subject line is

Hello <world>

You will see:

Hello

Here's the HTML letter_opener generates:

<dt>Subject:</dt>
<dd><strong>Hello <world></strong></dd>
@paulschreiber

Looks like this is an easy fix in the erb:

<dt>Subject:</dt>
<dd><strong><%= mail.subject %></strong></dd>

Change to:

<dt>Subject:</dt>
<dd><strong><%= h mail.subject %></strong></dd>
@ryanb ryanb closed this in 5415538 Oct 1, 2012
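As an added example, not code from the letter_opener project or from this thread, the script below renders both ERB snippets from the comment above and shows why the unescaped one lets a subject inject tags into the preview page. It assumes the `h` helper is `ERB::Util.html_escape` (as in Rails views) and stands in a stub for the mail object, which only needs `#subject`.

```ruby
require "erb"

# Hypothetical stand-in for the Mail::Message letter_opener renders;
# only #subject matters for this issue.
MailStub = Struct.new(:subject)

# Minimal view context for the two templates. Assumption: the `h` helper
# the fix relies on is ERB::Util.html_escape, which `include ERB::Util`
# provides under the alias `h`.
class SubjectView
  include ERB::Util

  # The template as reported in the issue (subject interpolated raw).
  UNESCAPED = "<dt>Subject:</dt>\n<dd><strong><%= mail.subject %></strong></dd>"
  # The template with the proposed fix applied.
  ESCAPED   = "<dt>Subject:</dt>\n<dd><strong><%= h mail.subject %></strong></dd>"

  attr_reader :mail

  def initialize(mail)
    @mail = mail
  end

  # Evaluate an ERB template with this view as the binding.
  def render(template)
    ERB.new(template).result(binding)
  end
end

# Render the subject through the original (unescaped) template.
def render_subject_unescaped(subject)
  SubjectView.new(MailStub.new(subject)).render(SubjectView::UNESCAPED)
end

# Render the subject through the fixed (escaped) template.
def render_subject_escaped(subject)
  SubjectView.new(MailStub.new(subject)).render(SubjectView::ESCAPED)
end

if __FILE__ == $PROGRAM_NAME
  subject = "Hello <world>"  # constructed sample, same as in the issue
  puts "unescaped: #{render_subject_unescaped(subject)}"
  puts "escaped:   #{render_subject_escaped(subject)}"
end
```

The unescaped output contains a literal `<world>` element, which a browser treats as an unknown tag and hides; the escaped output shows `&lt;world&gt;`, so the subject reads back exactly as written.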